U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

National Oceanic and Atmospheric Administration

FY 2008 FISMA Assessment of National Weather Service Telecommunication Gateway (NOAA8871)

Final Inspection Report No. OSE-19000 / September 2008

Office of Systems Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

SEP 22 2008

MEMORANDUM FOR:  Vice Admiral Conrad C. Lautenbacher, Jr., USN (Ret.)
                 Under Secretary of Commerce for Oceans and Atmosphere
                 and NOAA Administrator

                 Mary M. Glackin
                 Deputy Under Secretary of Commerce for Oceans and Atmosphere

FROM:            Judith J. Gordon
                 Assistant Inspector General for Audit and Evaluation

SUBJECT:         National Weather Service
                 FY 2008 FISMA Assessment of NWS Telecommunication Gateway (NOAA8871)
                 Final Inspection Report No. OSE-19000

This report presents the results of our Federal Information Security Management Act (FISMA) review of the certification and accreditation of the NWS Telecommunication Gateway system.
We found that the system security plan did not provide an adequate basis to conduct the security certification and NWS needs to improve its security control assessments to assure that controls are implemented correctly and operating as intended.

In response to our draft report, NOAA, with one exception, agreed with our findings and described corrective actions that are fully responsive to all our recommendations. NOAA's response is summarized in the appropriate sections of the report and included in its entirety as appendix B.

We request that you provide us an action plan describing the actions you have taken or plan to take in response to our recommendations within 60 calendar days of the date of this report. The plan should be in the form of plans of action and milestones (POA&Ms) as required by FISMA.

We appreciate the cooperation and courtesies extended to us by your staff during our evaluation. If you would like to discuss any of the issues raised in this report, please call me at (202) 482-2754 or Allen Crawley, Deputy Assistant Inspector General for Systems Evaluation at (202) 482-1855.

Attachment

cc:  Suzanne Hilding, Chief Information Officer, U.S. Department of Commerce
     Joe Klimavicz, Chief Information Officer, National Oceanic and Atmospheric Administration
     Dr. Jack L. Hayes, Assistant Administrator for Weather Services, National Weather Service
     Adrian R. Gardner, Chief Information Officer, National Weather Service


OIG FY 2008 FISMA Assessment


Listing of Abbreviated Terms & Acronyms

    C&A      Certification and Accreditation
    DISA     Defense Information Systems Agency
    FIPS     Federal Information Processing Standards
    FISMA    Federal Information Security Management Act of 2002
    IP       Internet Protocol
    ISSO     Information System Security Officer
    IT       Information Technology
    NIST     National Institute of Standards and Technology
    NOAA     National Oceanic and Atmospheric Administration
    NWS      National Weather Service
    NWSTG    National Weather Service Telecommunication Gateway
    OIG      Office of Inspector General
    OMB      Office of Management and Budget
    POA&M    Plan of Action and Milestones
    RPC      Remote Procedure Call
    SAR      Security Assessment Report
    SSP      System Security Plan
    ST&E     Security Testing and Evaluation
    TOC      Telecommunication Operations Center


Synopsis of Findings

    •  Security controls were not adequately defined prior to the certification phase or in the approved system security plan.

    •  Secure configuration settings were not defined for some IT products and none were assessed.

    •  Certification assessments were incomplete and flawed.

    •  OIG assessment of selected security controls found significant weaknesses not identified by the NWS security certification.

Conclusion

    •  NWS needs to improve security control assessments to assure that controls are implemented correctly, operating as intended, and meeting the security requirements for the system.

Page 2


Summary of NOAA Response

In its response to our draft report, NOAA, with one exception, agreed with our findings. NOAA noted that, although the SSP was not signed when certification testing began, it had been favorably reviewed by NWS' information technology security officer and the system's authorizing official.

Also, NOAA concurred with all our recommendations and identified actions it will take to address them.
These actions include the remediation of specific vulnerabilities, reassessments of security control implementations, updates to security requirements, and changes to hiring processes, security training, and C&A contract requirements.

NOAA's written response is included in its entirety as appendix B of this report.


OIG Comments

NOAA's response took exception with the first finding that stated the security certification began before the SSP was formally reviewed and approved. Although NOAA asserts that the authorizing official and NWS' senior IT security officer had reviewed the SSP before beginning security certification, the SSP was not approved until after the accreditation decision. Department policy and NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, require approval of the SSP by the authorizing official and senior agency information security officer to ensure the set of security controls specified in the SSP meet the security requirements for the information system before advancing to the security certification phase.

The corrective actions described by NOAA are responsive to our recommendations.


Introduction

The National Weather Service Telecommunication Gateway (NWSTG) supports the National Weather Service's (NWS') mission to collect, process, and disseminate national and international meteorological data and products in real time.
Other governmental agencies, the private sector, the general public, and the global community also use the system's data.

NWS has categorized NWSTG [blank] system, which means that a security breach could be expected to have [blank] effect on organizational operations, organizational assets, or individuals.

The system interconnects with numerous other systems worldwide via various protocols. Network components (primarily [blank] firewalls, routers, and switches) regulate the flow of internal and external communications. The system comprises [blank], and Windows servers that gather, process, and disseminate meteorological information and manage the system infrastructure. Workstations are used for interacting with and monitoring the system. Key applications in the system include databases and Web servers.


Findings and Recommendations

1. Security Controls Were Not Adequately Defined Prior to the Certification Phase or in the Approved System Security Plan

    •  NWS began the security certification before the security controls were adequately defined and the SSP was formally reviewed and approved, resulting in an ineffective C&A process.
         o  According to the SAR, certification assessments began around March 2, 2007 but the SSP was not approved until the system was accredited on March 22, 2007.

    •  The SSP did not adequately define the control enhancements required for [blank] system or the organization-defined security control parameters. It also mistakenly identified controls as NOAA common controls.
       (The following totals do not include organization-defined parameters and security control enhancements identified as planned or controls accurately identified as NOAA common controls.)
         o  The SSP did not define 24 of [blank] security control enhancements required for a [blank] impact system.
              -  AC-17 [blank] – Remote Access
              -  AU-2 [blank] – Auditable Events
              -  CM-2 [blank] – Baseline Configuration
              -  CM-3 [blank] – Configuration Change Control
              -  CP-2 [blank] – Contingency Plan
              -  CP-3 [blank] – Contingency Training
              -  CP-4 ( [blank] – Contingency Plan Testing
              -  CP-6 ( [blank] – Alternate Storage Sites
              -  CP-7 [blank] – Alternate Processing Sites
              -  CP-8 [blank] – Telecommunications Services
              -  CP-9 [blank] – Information System Backup
              -  MA-2 [blank] – Controlled Maintenance
              -  MA-4 [blank] – Remote Maintenance

         o  Eight of [blank] organization-defined security control parameters for tailoring the control baseline were not defined.
              -  AU-5 – Percentage of maximum audit record storage capacity permitted before information system takes appropriate actions
              -  AU-6 – List of inappropriate or unusual activities that result in alerts
              -  CM-7 – List of prohibited and/or restricted functions, ports, protocols, and/or services
              -  CP-7 – Time period by which critical mission functions at the alternate site must be resumed
              -  CP-8 – Time period by which telecommunications services must be resumed
              -  CP-9 – Frequency of testing for backup media to verify reliability and integrity
              -  PE-8 – Frequency of visitor access records review by designated organization officials
              -  RA-5 – Frequency of updates of list of scanned information security vulnerabilities

         o  Ten of 19 physical and environmental controls were incorrectly identified as NOAA common controls.
              -  PE-8 – Access Records
              -  PE-9 – Power Equipment and Power Cabling
              -  PE-10 – Emergency Shutoff
              -  PE-11 – Emergency Power
              -  PE-12 – Emergency Lighting
              -  PE-13 – Fire Protection
              -  PE-14 – Temperature and Humidity Controls
              -  PE-15 – Water Damage Protection
              -  PE-16 – Delivery and Removal
              -  PE-18 – Location of Information System Components

    •  Impacts of inadequately defined security controls include:
         o  Controls may not have been completely or accurately implemented by the system owner.
         o  Certification team lacked information to effectively assess the control.
         o  Assessments of physical and environmental controls were incomplete.


Recommendation

1.1 NOAA should ensure that the authorizing official and senior information security officer review and approve the system security plan prior to certification. The system information should be accurate and proposed security controls should meet the system's security requirements. Approval should confirm that the SSP
        •  correctly identifies security controls not directly supervised by the system owner,
        •  adequately describes all applicable required control enhancements, and
        •  specifies all security control parameters required to be defined by the organization.


2. Secure Configuration Settings Were Not Defined for Some IT Products and None Were Assessed

       Background: The Department's IT security policy and NIST SP 800-53 require establishing and assessing secure configuration settings for IT products. Products include operating systems for system components (such as servers, desktops, laptops, routers, and switches) and applications (such as e-mail, Web, VPN, firewall, intrusion detection, database, and antivirus). FISMA and OMB guidance also highlight the importance of secure configuration settings. Implementing and maintaining secure configuration settings is one of the most effective ways of negating threats.
       Failing to completely assess this critical control leaves the security of a system in serious doubt and undermines the adequacy of the certification.

    •  Secure configuration settings were defined only for Windows, [blank] IT products.
         o  Settings were not defined for the following:
              -  [blank] routers, switches, and firewalls
              -  [blank] Web server
              -  [blank] server

    •  No secure configuration settings were assessed.
         o  The package contained no evidence that secure configuration settings had been evaluated for any IT product.
              -  The certification team inappropriately assessed the control by relying on a statement from the system security officer who stated, "Configuration settings have been set to the most restrictive modes and enforced on all components in the NWSTG."
         o  During our field work, NWS claimed secure configuration settings had been assessed both with an automated scanning tool and manually.
            However, we found
              -  The scanning tool used could not have assessed the control since it was not configured to evaluate NWS' secure configuration baselines.
              -  The certification team could not provide any evidence of manual assessments.

Recommendations

NOAA should ensure that

 2.1 secure configuration settings are defined and implemented for all IT products in the system accreditation boundary in accordance with NIST SP 800-70, Security Configuration Checklists Program for IT Products; and

 2.2 a sample of identically configured components running each operating system variant is assessed for compliance with organizationally defined operating system baselines and appropriate samples of other IT products.


3. Certification Assessments Were Incomplete and Flawed

    •  C&A package lacks evidence that security controls were assessed on all applicable system components and applications where the controls are implemented.
         o  Network devices including [blank] routers, firewalls, switches, and [blank] switches and applications including [blank] were not assessed.
         o  Not all applicable operating systems were assessed for some security controls. (See table 1 for examples.)
              -  The majority of the artifacts referred to in the procedural step assessment results are for [blank].
                 Minimal artifacts exist to support control assessments on Windows and [blank]
              -  OIG determinations were based on reviewing the procedural step assessment results and artifacts. Because some results and artifacts were insufficient to determine if the control was assessed on all applicable system components, we considered any other associated results and artifacts not directly related to the procedural step.

    •  Certification assessment results erroneously indicated that some procedural steps for control assessments were related to NOAA common controls. As a result, the following assessments were not performed during certification:
         o  Individual procedural steps:
              -  AC-4.2 – Information Flow Enforcement – Information flow within the system and between systems
              -  SI-2.7 – Flaw Remediation – Test effectiveness of flaw remediation capabilities
              -  SA-7.3 – User Installed Software – Examine firewall logs for indications of prohibited software
         o  All the procedural steps for the following controls:
              -  AT-3 – Security Training
              -  PE-3 – Physical Access Control
              -  PE-4 – Access Control for Transmission Medium
              -  PE-5 – Access Control for Display Medium
              -  PE-6 – Monitoring Physical Access
              -  PE-7 – Visitor Control
              -  PE-17 – Alternate Work Site

    •  Four security controls that should have been assessed on system components inappropriately relied on interviews and document review. (See table 2.)

    •  Some security control assessments did not follow procedures and contained results inconsistent with evidence. (See table 3 for examples.)

    •  Some certification assessment results did not describe vulnerabilities discovered. (See table 4 for examples.)
         o  Assessment results indicated only "POA&M" with no further explanation.
         o  If vulnerabilities are not identified and described, officials cannot be certain of
              -  the specific deficiencies within the control,
              -  the amount of risk that should be attributed to the system from the failed control assessment, and
              -  how to mitigate the vulnerabilities.


Recommendations

NOAA should ensure that

3.1 security controls are assessed on all applicable system components, such as routers, switches, firewalls, applications, and servers;

3.2 control assessments follow applicable procedures; and

3.3 assessment results clearly describe vulnerabilities discovered.


4. OIG Assessment of Selected Security Controls Found Significant Weaknesses Not Identified by the NWS Security Certification

As part of the OIG's FY08 FISMA evaluation of NWSTG, we assessed a targeted set of system components to determine if selected security controls are properly implemented and whether related system vulnerabilities were identified by NWS' security certification.
We tailored our procedures to the specific control implementations of NWSTG. This tailoring is a necessary part of assessing controls adequately and is a crucial component of NIST guidance. The results follow from the steps we took to assess the control, include (or reference) our analysis, and cite specific supporting evidence. (See appendix C.)

    •  NWS stated that there has been little or no change in security control configurations since certification assessments were performed. Therefore, vulnerabilities identified during OIG assessments most likely existed at the time of security certification.
    •  OIG assessments identified significant vulnerabilities that were not identified by NWSTG certification assessments. Thus, the authorizing official was not informed of these vulnerabilities. (See table 5 for a comparison of certification assessment results against OIG assessment results.) These vulnerabilities include the following:
         o  [blank]


Recommendations

NOAA should ensure that

4.1 the deficiencies we identified are added promptly to the system's plan of action and milestones, and remediated in a timely manner; and

4.2 control assessments, both for continuous monitoring and future security certifications, include more thorough interviews, examinations, and tests.


Table 1: Examples of Assessments Not Performed on All Applicable Operating Systems.

Columns: Procedural Step | Certification Test Results from Certification Documentation Package (full quotation; blank in source for every row) | OIG Determination of Assessment on Applicable Operating Systems: Windows | second OS (name blank in source) | third OS (name blank in source)

AC-2.20 Test selected automated mechanisms within the information system that support the account management auditing and notification functions to determine if: (i) the mechanisms are operating as intended; (ii) each of the account actions identified produce accurate and informative audit records; and (iii) each action, as required by the account management procedures, results in notification of appropriate individuals.
    Windows:    Assessed – We determined the control was assessed on Windows using the Nessus policy scanner.
    Second OS:  Not Assessed – The artifacts do not relate to the procedural step.
    Third OS:   Not Assessed

AC-7.2 Examine the information system configuration settings to determine if the information system enforces organizational policy and procedures for unsuccessful login attempts.
    Windows:    Assessed – We determined the control was assessed on Windows using the Nessus policy scanner.
    Second OS:  Assessed – We determined that the control was assessed using the results from AC-7.3.
    Third OS:   Not Assessed

AC-11.3 Test the session lock mechanism by allowing a user session to remain inactive for the organization-defined period to determine if the session lock automatically occurs on the information system and that the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures.
    Windows:    Not Assessed
    Second OS:  Not Assessed – The test result artifact is not applicable because it only shows unsuccessful login attempts. No other artifacts indicate this control was assessed.
    Third OS:   Not Assessed

AU-2.1 Examine organizational records or documents and the information system configuration settings to determine if the system generates audit records for the organization-defined auditable events
    Windows:    Assessed – The test result does not indicate that Windows servers were assessed; however, we determined that the control was assessed on Windows using the Nessus policy scanner.
    Second OS:  Assessed – The test result does not indicate that [blank] were assessed. However, artifact AU-01 contains configuration data indicating the control was assessed.
    Third OS:   Not Assessed

AU-4.1 Examine the information system configuration to determine if the organization allocates sufficient audit record storage capacity and establishes configuration settings to prevent such capacity from being exceeded.
    Windows:    Assessed – We determined the control was assessed on Windows using the Nessus policy scanner.
    Second OS:  Not Assessed
    Third OS:   Not Assessed

IA-2.6 Test the appropriate components within the information system to determine if passwords, tokens, or biometrics meet Level 3 or 4 requirements consistent with NIST Special Publication 800-63.
    Windows:    Assessed – We determined the control was assessed on Windows using the Nessus vulnerability scanner.
    Second OS:  Assessed – Supported by artifact [blank]
    Third OS:   Not Assessed

SC-10.2 Test the network disconnection capability for the information system by leaving an open session for a specified amount of time to determine if the system terminates the network connection as expected.
    Windows:    Not Assessed
    Second OS:  Assessed – Supported by artifact [blank]
    Third OS:   Not Assessed


Table 2: Assessments that Inappropriately Relied on Documentation and Interviews

Columns: Control | Procedural Step | Certification Test Results (full quotation; blank in source for every row) | OIG Comments

AC-2 Account Management
    Procedural step:  AC-2.3 Examine selected active user accounts to determine if the organization followed procedures to establish and activate the user accounts and complete any organization-required documentation.
    OIG comments:     Results do not indicate whether selected active user accounts on system components were actually examined during certification testing.

CM-6 Configuration Settings
    Procedural step:  CM-6.2 Examine selected information system configuration settings to determine if they are configured in accordance with the organization-defined settings.
    OIG comments:     Results do not indicate that configuration settings were assessed on any IT products.

CP-9 Information System Backup
    Procedural step:  CP-9.2 Examine selected information system backup media, or selected records of backups if available, to determine if the organization backs up the required user-level and system-level information (including system state information) in accordance with the organization-defined frequency and stores the backup information in designated locations in accordance with information system backup procedures.
    OIG comments:     Results do not indicate that backup media or records of backups were examined. The results are just a description of how the control is implemented from the SSP.

MA-2 Controlled Maintenance
    Procedural step:  MA-2.7 Examine the automated mechanism(s) within the information system to determine if each automated function is properly configured to ensure that periodic maintenance is scheduled and conducted as required.
    OIG comments:     Results do not indicate that the automated mechanisms within the information system were examined.
The results indicate\n                                                                                                   that only the Maintenance\n                                                                                                   Procedures and Patch\n                                                                                                   Procedures documents were\n                                                                                                   reviewed.\n\n\n\n\n                                                                  Page 16\n\x0c                                                         OIG FY 2008 FISMA Assessment\n\n\n\n\nTable 3: Examples of Assessments that Did Not Follow Procedural Steps\nControl      Procedural Step                               Certification Test Results   OIG Comments\n                                                           (full quotation)\nAC-2         AC-2.20 Test selected automated                                            The procedural step to test the auditing and\nAccount      mechanisms within the information system                                   notification of account management functions\nManagement that support the account management                                          was not followed. The referenced artifacts do not\n             auditing and notification functions to                                     contain audit records or indicate that account\n             determine if: (i) the mechanisms are                                       management activity notifications occurred. 
The\n             operating as intended; (ii) each of the                                    artifacts only show that audit log files exist,\n             account actions identified produce accurate                                access to a single directory is restricted, and\n             and informative audit records; and (iii) each                              unsuccessful login attempts are logged.\n             action, as required by the account\n             management procedures, results in\n             notification of appropriate individuals.\nAC-3         AC-3.3 Examine the user access rights on                                   The procedural step of examining user access\nAccess       the information system to determine if user                                rights against documented user authorizations\nEnforcement privileges on the system are consistent with                                was not followed. The referenced artifact does\n             the documented user authorizations.                                        not show any comparison of user permissions\n                                                                                        with the documented TOC Access Control Policy,\n                                                                                        secure configuration baselines, or any other\n                                                                                        documented user authorizations. 
    The artifact only shows that audit log files exist and access to a single directory is restricted.

AC-5 Separation of Duties
    Procedural Step: AC-5.3 Examine selected information system accounts to determine if any user has access authorizations or privileges that may allow the user to perform multiple conflicting security functions (e.g., (i) mission functions and distinct information system support functions should be divided among different individuals/roles; (ii) different individuals perform information system support functions such as system management, systems programming, quality assurance/testing, configuration management, and network security; and (iii) security personnel who administer access control functions should not administer audit functions).
    Certification Test Results (full quotation): [not shown in source]
    OIG Comments: The procedural step to examine information system accounts to determine if users have the ability to perform conflicting security functions was not followed. The results statement was copied from the SSP and no evidence was provided showing that account authorizations or privileges were assessed. In addition, an interview conducted during certification contained a statement indicating that “We do not have an independent test group or implementation group. In our situation the developers test, and the developers are the environment owners.”

MA-2 Controlled Maintenance
    Procedural Step: MA-2.8 Examine the log of maintenance actions to determine if the log is up to date, accurate, complete, and available.
    Certification Test Results (full quotation): [not shown in source]
    OIG Comments: The procedural step to examine the log of maintenance actions was not followed. The results only define the location of the logs. There is no indication that the logs were examined.

MA-3 Maintenance Tools
    Procedural Step: MA-3.2 Examine approved information system maintenance tools and associated documentation to determine if the organization maintains the tools and documentation on an ongoing basis and if the processes applied are consistent with the documented maintenance procedures.
    Certification Test Results (full quotation): [not shown in source]
    OIG Comments: The procedural step to examine maintenance tools and associated documentation was not followed. The results only define the location of the maintenance tools and documentation. There is no indication that the tools or documentation were examined.

SA-7 User Installed Software
    Procedural Step: SA-7.5 Test network traffic on the information system to determine if prohibited software is installed and operational by utilizing a network packet analyzer. (Note: Applications tend to communicate on known ports and/or have signature traffic patterns and common packets.)
    Certification Test Results (full quotation): [not shown in source]
    OIG Comments: The procedural step to perform network packet analysis was not followed. The C&A package did not contain any evidence of network packet analysis.

SA-7 User Installed Software
    Procedural Step: SA-7.6 Test the information system for prohibited software by utilizing a scanner which detects and reports the names of installed software; compare the results against the approved software applications list.
    Certification Test Results (full quotation): [not shown in source]
    OIG Comments: The procedural step to detect and report names of installed software and compare the results against approved software applications was not followed. Our evaluation of the scanner results concluded that the scanners did not detect and report names of installed software. Also, no evidence was provided showing that installed applications were compared against a list of approved software applications.

SC-14 Public Access Protections
    Procedural Step: SC-14.2 Test the publicly available information system by attempting to alter protected information using a public account to determine if access is limited in order to preserve the integrity of the information and the applications.
    Certification Test Results (full quotation): [not shown in source]
    OIG Comments: NWS was unable to provide evidence that the procedural step to attempt to alter protected information using a public account was followed.

SC-18 Mobile Code
    Procedural Step: SC-18.2 Test the information system by attempting to run mobile code in an application where it is specifically prohibited to determine if the organization implements mobile code usage restrictions.
    Certification Test Results (full quotation): [not shown in source]
    OIG Comments: The procedural step to test applicable information system components by attempting to run mobile code was not followed. The artifact shows attempts to access the Internet from scanning machines that are not within the accreditation boundary.
    There is also no evidence the procedure was performed on applicable system components with Internet access.


Table 4: Examples of Results that Do Not Clearly Indicate Why the Assessment Failed

Columns: Procedural Step; Expected Result (full quotation); Actual Results (full quotation).

AC-4.1 Examine information system interconnection agreements to determine if the agreements address: (i) the types of permissible and impermissible flow of information between systems; and (ii) the required level of authorization to allow information flow as defined in the information flow enforcement policy and procedures.
    Expected Result (full quotation): [not shown in source]
    Actual Results (full quotation): POA&M

MP-2.7 Test the automated mechanism(s) within the information system to determine if each automated function is properly configured to ensure that media access is restricted as required.
    Expected Result (full quotation): [not shown in source]
    Actual Results (full quotation): POA&M

SC-12.1 Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents (including developer design documentation) to determine if the information system employs automated mechanisms with supporting procedures or manual procedures for cryptographic key establishment and management and how the mechanisms and procedures are implemented.
    Expected Result (full quotation): [not shown in source]
    Actual Results (full quotation): POA&M

SC-21.2 Test the information system by attempting to launch known attacks against the domain name servers.
    Expected Result (full quotation): [not shown in source]
    Actual Results (full quotation): POA&M

SI-7.5 Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the software and information integrity control is implemented.
    Expected Result (full quotation): [not shown in source]
    Actual Results (full quotation): POA&M


Table 5: Comparison of Certification Assessment Results Against OIG Assessment Results

Columns: Procedural Step; Certification Test Results (full quotation), from the certification assessment; IT Product and OIG Assessment Results, from the OIG assessment.

AC-2.4 Examine a list of recently disabled information system accounts and compare to selected system-generated records with user IDs and last login date for each account to determine if the last log-in date is beyond the date that the account is disabled.
    Certification Test Results (full quotation): [not shown in source]
    IT Product [name not shown in source]: Disabling inactive system accounts is not enforced on one of the five [not shown in source] components. We identified an administrator account not used in more than a year but which was not disabled.
    IT Product [name not shown in source]: Disabling inactive system accounts is not enforced on either [not shown in source] component. We found four system administrator accounts that had never been used or had been inactive for more than 90 days but had not been disabled.
    IT Product [name not shown in source]: Disabling inactive system accounts is not enforced on the [not shown in source] database component. We found two accounts that had been inactive for at least 100 days but had not been disabled.
    IT Product Windows: Disabling inactive system accounts is not enforced on three of the four Windows components. We identified six accounts that were inactive for at least 1 year or had never been used but had not been disabled.

AC-2.20 Test selected automated mechanisms within the information system that support the account management auditing and notification functions to determine if: (i) the mechanisms are operating as intended; (ii) each of the account actions identified produce accurate and informative audit records; and (iii) each action, as required by the account management procedures, results in notification of appropriate individuals.
    Certification Test Results (full quotation): [not shown in source]
    IT Product and OIG Assessment Results: [not shown in source]

AC-3.2 Examine access control mechanisms to determine if the information system is configured to implement the organizational access control policy.
    Certification Test Results (full quotation): [not shown in source]
    IT Product: Windows
    OIG Assessment Results: [not shown in source]

AC-7.3 Test the account lockout policy on selected user accounts by exceeding the maximum number of invalid login attempts within the organization-defined time period on the information system to determine if the information system locks the account/node.
    Certification Test Results (full quotation): [not shown in source]
    IT Product and OIG Assessment Results: [not shown in source]

AC-7.8 Examine the information system configuration settings to determine if the information system is configured to automatically lock the account/nodes until released by the administrator when the maximum number of unsuccessful attempts is exceeded.
    Certification Test Results (full quotation): [not shown in source]
    IT Product: Windows
    OIG Assessment Results: [not shown in source]

AU-2.2 Test the information system by attempting to perform actions that are configured to generate an audit record.
    Certification Test Results (full quotation): [not shown in source]
    IT Product: Windows
    OIG Assessment Results: [not shown in source]

CM-7.2 Test the information system to determine if the identified functions, ports, protocols, and services are prohibited or restricted.
    Certification Test Results (full quotation): [not shown in source]
    IT Product: Windows
    OIG Assessment Results: [not shown in source]

IA-2.3 Test the information system to determine if passwords, tokens, or biometrics meet Level 2, 3, or 4 requirements consistent with NIST Special Publication 800-63.
    Certification Test Results (full quotation): [not shown in source]
    IT Product: Windows
    OIG Assessment Results: [not shown in source]

IA-5.3 Examine organizational records or documents to determine if the organization changes default authenticators upon information system installation.
    Certification Test Results (full quotation): [not shown in source]
    IT Product and OIG Assessment Results: [not shown in source]

IA-5.7 Test the information system to determine if the system protects passwords from unauthorized disclosure and modification when stored and transmitted, prohibits passwords from being displayed when entered, enforces password minimum and maximum lifetime restrictions, and prohibits password reuse for a specified number of generations.
    Certification Test Results (full quotation): [not shown in source]
    IT Product: Windows
    OIG Assessment Results: [not shown in source]

SI-3.6 Examine malicious code protection mechanisms to determine if the mechanisms are: (i) appropriately updated to include the latest malicious code definitions; (ii) configured to perform periodic scans of the information system as well as real-time scans of each file as it is downloaded, opened, or executed; and (iii) configured to disinfect and quarantine infected files.
    Certification Test Results (full quotation): [not shown in source]
    IT Product: Windows
    OIG Assessment Results: [not shown in source]


Appendix A: Objectives, Scope, and Methodology

To meet the FY 2008 FISMA reporting requirements, we evaluated the NOAA certification and accreditation for the National Weather Service Telecommunication Gateway (NOAA8871).

Security certification and accreditation packages contain three elements, which form the basis of an authorizing official’s decision to accredit a system.

    •   The system security plan describes the system, the requirements for security controls, and the details of how the requirements are being met. The security plan provides a basis for assessing security controls and also includes other documents such as the system risk assessment and contingency plan, per Department policy.
    •   The security assessment report presents the results of the security assessment and recommendations for correcting control deficiencies or mitigating identified vulnerabilities. This report is prepared by the certification agent.
    •   The plan of action & milestones is based on the results of the security assessment. It documents actions taken or planned to address remaining vulnerabilities in the system.

Commerce’s IT Security Program Policy and Minimum Implementation Standards requires that C&A packages contain a certification documentation package of supporting evidence of the adequacy of the security assessment. Two important components of this documentation are:

    •   The certification test plan, which documents the scope and procedures for testing (assessing) the system’s ability to meet control requirements.
    •   The certification test results, which are the raw data collected during the assessment.

To evaluate the C&A package, we reviewed all components of the package and interviewed NWS staff to clarify any apparent omissions or discrepancies in the documentation and gain further insight on the extent of the security assessment. We give substantial weight to the evidence that supports the rigor of the security assessment when reporting our findings to OMB.

In addition, we performed our own security control assessments on NWSTG and compared our results with NWS’ certification test results.
We chose a subset of the control requirements specified in NIST SP 800-53, and a subset of assessment procedures from NIST SP 800-53A, Third Public Draft. We tailored the procedures to NWS’ specific control implementations. We did not attempt to perform a complete assessment of each control; instead we chose to focus on specific aspects of some of the more important technical and operational controls.

We assessed controls on key classes of IT components and applications, choosing a targeted set of components from each class that would allow for direct comparison with NWS’ certification test results. We assessed control implementations on: [not shown in source] components, Windows [not shown in source], [not shown in source] (router/switch/firewall combos), [not shown in source], and a [not shown in source]. In addition, we examined the security plan descriptions, including related policy documents, and interviewed appropriate NWS personnel.

Because NWSTG [not shown in source] security objective, we adapted our assessments to minimize the impact on system operations by assessing standby components when possible. We could not perform some assessments on certain system components. For example, we did not assess the creation, modification, or deletion of user accounts on routers, firewalls, and switches.
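The AC-2.4 comparison reported in Table 5 (recently disabled accounts checked against system-generated last-login records, with findings such as accounts never used or inactive for more than 90 days that were still enabled) is the kind of check an assessor can script once account records have been extracted. The following Python is an added example and is not part of the OIG report or of the NWS certification package; the 90-day limit, the record fields, the component names and all account records are constructed assumptions, and the count is reported in the "N of M components" style the table uses.

```python
"""Inactive-account check modelled on NIST SP 800-53A procedure AC-2.4.

Added example (not from the OIG report or NWS): each account's last-login
date is compared with an assumed organization-defined inactivity limit, and
enabled accounts that exceed it are reported per component. All records
below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)   # assumed organization-defined limit


@dataclass(frozen=True)
class Account:
    component: str              # system component the record was extracted from
    user_id: str
    created: date               # account creation date
    last_login: Optional[date]  # None: the account has never been used
    disabled: bool


def is_inactive(acct: Account, as_of: date,
                limit: timedelta = INACTIVITY_LIMIT) -> bool:
    """True when the account has not been used for longer than `limit`.

    A never-used account is measured from its creation date, so a newly
    created account that has not logged in yet is not a finding.
    """
    reference = acct.last_login if acct.last_login is not None else acct.created
    return as_of - reference > limit


def find_undisabled_inactive(accounts: List[Account], as_of: date,
                             limit: timedelta = INACTIVITY_LIMIT) -> List[Account]:
    """AC-2.4 failures: inactive accounts that are still enabled."""
    return [a for a in accounts if not a.disabled and is_inactive(a, as_of, limit)]


def summarize(accounts: List[Account], as_of: date,
              limit: timedelta = INACTIVITY_LIMIT) -> Tuple[int, int, List[Account]]:
    """Return (components with failures, total components, findings)."""
    findings = find_undisabled_inactive(accounts, as_of, limit)
    total = len({a.component for a in accounts})
    failing = len({f.component for f in findings})
    return failing, total, findings


# Constructed sample records for four hypothetical Windows components.
AS_OF = date(2008, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("win-1", "svc_backup", date(2006, 1, 10), date(2007, 3, 2), False),   # stale, enabled
    Account("win-1", "jdoe",       date(2007, 9, 1),  date(2008, 5, 28), False),  # active
    Account("win-2", "oldadmin",   date(2005, 5, 5),  None, False),               # never used, enabled
    Account("win-2", "tempuser",   date(2007, 1, 1),  date(2007, 6, 1), True),    # stale but disabled
    Account("win-3", "newhire",    date(2008, 5, 20), None, False),               # new, not yet used
    Account("win-4", "operator",   date(2007, 1, 1),  date(2008, 4, 15), False),  # active
]


def run_sample() -> Tuple[int, int, List[Account]]:
    """Evaluate the constructed records with the assumed limit."""
    return summarize(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    failing, total, findings = run_sample()
    print(f"Disabling inactive accounts not enforced on {failing} of {total} components")
    for f in findings:
        print(f"  {f.component}: {f.user_id} (last login: {f.last_login or 'never'})")
```

On the constructed records the check flags two accounts on two of the four components: a stale service account and a never-used administrator account; the already-disabled stale account and the recently created account are correctly left out. The same function can be pointed at records extracted from any component class, which is what makes a per-component comparison with the certification results possible.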
Our assessments included the following activities:

    •   Extraction, examination, and verification of system configurations
    •   Generation of system events and examination of system logs
    •   Execution of DISA scripts (Gold Disk)
    •   Examination of user and group authorizations
    •   Addition, modification, and deletion of operating system accounts

Our assessment was limited in scope and should not be interpreted as the comprehensive review that a security certification [not shown in source] system would require. However, our assessments gave us direct assurance of the status of select aspects of important controls in NWSTG and provided meaningful comparison to the NWS security certification.

We used the following review criteria:
   •  Federal Information Security Management Act of 2002 (FISMA)
   •  U.S. Department of Commerce, IT Security Program Policy and Minimum Implementation Standards
   •  NIST’s Federal Information Processing Standards (FIPS)
           o  Publication 199, Standards for Security Categorization of Federal Information and Information Systems
           o  Publication 200, Minimum Security Requirements for Federal Information and Information Systems
   •  NIST Special Publications:
           o  800-18, Guide for Developing Security Plans for Information Technology Systems
           o  800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
           o  800-42, Guideline on Network Security Testing
           o  800-53, Recommended Security Controls for Federal Information Systems
           o  800-70, Security Configuration Checklists Program for IT Products

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency in January 2005.


                                      UNITED STATES DEPARTMENT OF COMMERCE
                                      National Oceanic and Atmospheric Administration
                                      CHIEF ADMINISTRATIVE OFFICER

[date stamp not legible]

MEMORANDUM FOR:             Judith J. Gordon
                            Assistant Inspector General for Audit and Evaluation

FROM:                       William F. Broglie
                            Chief Administrative Officer

SUBJECT:                    FY 2008 FISMA Assessment of NWS Telecommunication
                            Gateway (NOAA8871)
                            Draft Inspection Report No. OSE-19000/June 2008


Attached is the National Oceanic and Atmospheric Administration's response to the Office of Inspector General's draft report on its Federal Information Security Management Act review of the National Weather Service Telecommunication Gateway system. The response was prepared in accordance with Department Administrative Order 213-3, Inspector General Auditing.
We appreciate the opportunity to respond to
your draft report.

Attachment

                                Department of Commerce
                     National Oceanic and Atmospheric Administration
                        Comments on the Draft OIG Report Entitled
                  “FY 2008 FISMA Assessment of National Weather Service
                        Telecommunication Gateway (NOAA8871)”
                                  (OSE-19000/June 2008)

General Comments

The National Oceanic and Atmospheric Administration (NOAA) appreciates the opportunity to
review the draft Office of Inspector General (OIG) report on the National Weather Service
(NWS) Telecommunication Gateway (NWSTG). Although corrective actions were underway
for many of the recommendations and findings in this report, NWS does not dispute those
corrective actions were not yet complete when the OIG assessment took place.

Currently, the contractor that conducted the NWSTG certification testing is in the process of
redoing that certification testing at no charge to NWS, and is expected to complete
re-accreditation of the system by August 29, 2008.
NWS has incorporated lessons learned from this
OIG assessment in current and future Certification and Accreditation (C&A) activities for high
impact systems.

Several corrective actions were underway when the OIG reviewed this system, including the
following:
•  Key personnel actions have been completed and others are underway to strengthen the
   computer security protections for this system and other systems across NWS;
•  Organizational changes have been made and others are underway to provide better subject
   matter expertise in the oversight of the NWS C&A program (to include creation of a GS-15
   Chief Information Security Officer position within the NWS Office of the Chief Information
   Officer to oversee all NWS C&A activities);
•  Computer security program criteria will be added to the annual performance metrics for
   Regional Directors and other appropriate personnel; and
•  An NWS-wide Information Management Council was established to coordinate C&A
   processes and knowledge across NWS.

Implementation of additional corrective actions is dependent upon the results of the new NWSTG
certification testing.

Recommended Changes for Factual/Technical Information

Page 4, first bullet:
The OIG correctly notes the NWSTG System Security Plan (SSP) was not signed when the
certification testing began. However, the NWS Information Technology Security Officer (ITSO)
and the Authorizing Official favorably reviewed the SSP before testing commenced.

NOAA Response to OIG Recommendations

Recommendation 1: “1.1 NOAA should ensure that the authorizing official and senior
information security officer review and approve the system security plan prior to certification.
The system information should be accurate and proposed security controls should meet the
system’s security requirements.
Approval should confirm that the SSP
    • correctly identifies security controls not directly supervised by the system owner,
    • adequately describes all applicable required control enhancements, and
    • specifies all security control parameters required to be defined by the organization.”

NOAA Response: We concur. NWS is hiring a new System Owner, Information System
Security Officer (ISSO), and NWS ITSO and is including as part of the selection process the
candidates’ understanding of C&A requirements. As an immediate action, NWS has temporarily
assigned a highly-qualified System Owner from another NWS component to oversee the
technical corrective actions to address the OIG findings.

NWS is processing an organizational change that will replace the current position of “NWS
ITSO” with a new position of NWS Chief Information Security Officer (CISO) at the GS-15
level. Under this organizational change, the new ISSO for NWSTG will report and be
accountable to the new NWS CISO.

Information security compliance has been added to the performance appraisal requirements of all
NWS senior executives, system owners, and information technology (IT) managers. Information
security compliance includes the need to infuse system security into the organizational culture at
all levels and to address security needs in budget and resource requirements supporting
day-to-day operations.

The SSP is being updated to define all security control enhancements and parameters required
for high-impact systems. (Plan of Action and Milestones (POA&M) item: NOAA8871-08.01,
Security control enhancement and parameter definition; scheduled completion date 9/30/09)

The SSP will also be updated to match current NOAA common controls.
(POA&M item:
NOAA8871-08.02, NOAA common control review and update; scheduled completion date
9/30/09)

Recommendation 2: “NOAA should ensure that

2.1 secure configuration settings are defined and implemented for all IT products in the system
accreditation boundary in accordance with NIST SP 800-70, Security Configuration Checklists
Program for IT Products; and

2.2 a sample of identically configured components running each operating system variant is
assessed for compliance with organizationally defined operating system baselines and
appropriate samples of other IT products.”

NOAA Response: We concur. Through security awareness training and system owner training,
NWS will provide system owners and technical staff with greater understanding of threats,
vulnerabilities, countermeasures, and C&A compliance strategies and details.

NWS is also developing a strategy to facilitate investment decisions to support the needs of
system owners to understand and drive compliance with the confidentiality, availability, and
integrity requirements of their systems.

Similarly, contracts and task orders for C&A must include detailed descriptions of the expected
deliverables for potential vendors.

At a technical level, NWS secure configuration baselines are being defined and implemented for
configurable off-the-shelf software, operating systems, and network devices.
(POA&M item:
NOAA8871-08.03, scheduled completion date 9/30/09)

As part of the current redo of the certification testing, reassessment of all applied secure
configuration baselines is being performed and relevant documentation will be updated to correct
the deficiencies from the OIG findings, including maintaining appropriate artifacts, where
applicable.

Recommendation 3: “NOAA should ensure that

3.1 security controls are assessed on all applicable system components, such as routers, switches,
firewalls, applications, and servers;

3.2 control assessments follow applicable procedures; and

3.3 assessment results clearly describe vulnerabilities discovered.”

NOAA Response: We concur. NWS is examining resource requirements to provide a
comprehensive monitoring capability with technical staff and tools that will provide continuous
security monitoring of NWS networks, devices, boundaries, and NOAA common controls.

At a technical level, as part of the redo of the certification testing, re-evaluation and correction of
procedural steps relating to NOAA common controls are being performed, as is a reassessment
of all controls on all applicable system components and software pertaining to a high availability
system. Relevant documentation will be updated after the certification testing is completed.

Recommendation 4: “NOAA should ensure that

4.1 the deficiencies we identified are added promptly to the system’s plan of action and
milestones, and remediated in a timely manner; and

4.2 control assessments, both for continuous monitoring and future security certifications,
include more thorough interviews, examinations, and tests.”

NOAA Response: We concur.
At a technical level, NWS is addressing the following:

•  Account management policy, procedure, and implementation are being reviewed and
   modified as necessary. (POA&M item: NOAA8871-08.04, scheduled completion date
   9/30/09)
•  Audit implementation is being reviewed on all systems and modified as necessary.
   (POA&M item: NOAA8871-08.04, scheduled completion date 9/30/09)
•  Configuration management, including system integrity controls, is being implemented or
   modified as necessary. (POA&M item NOAA8871-07, scheduled completion date 9/1/08)
•  The vendor default password found on a                                      appliance is not
   externally accessible due to network protection, but was changed immediately after the initial
   OIG briefing. Password management settings are currently being reviewed. (POA&M item:
   NOAA8871-07.02, scheduled completion date 9/1/08)
•  Identification and baseline configuration of the anti-virus application is currently underway.
   (POA&M item: NOAA8871-07.02, scheduled completion date 9/1/08)

                                 OIG FY 2008 FISMA Assessment

Appendix C: Assessment of Selected Security Controls
A compact disk containing the procedures we used to assess security controls implemented on
selected system components from the Telecommunication Gateway system was provided to NWS.
The disk also included our assessment results, analysis, and supporting evidence.
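As an added illustration of the kind of check behind the assessment activities listed in the methodology (extraction and verification of system configurations) and behind Recommendation 2.2 (assessing a sample of identically configured components against an organizationally defined operating system baseline), the following Python script is example code written for this page; it is not the OIG's assessment procedure from the compact disk described in Appendix C, nor an NWS or NOAA tool. The baseline settings, the host names gw-app-01 through gw-app-03, the VendorDefaultPasswordChanged flag and the configuration extracts are all constructed for the example.

```python
"""Baseline compliance check over a sample of identically configured hosts.

Added example, not taken from the OIG report or from NWS: key/value
configuration extracts from several hosts are compared against an
organizationally defined baseline and every deviation is reported per host.
All baseline values, host names and extracts below are constructed.
"""
import operator

# Constructed baseline: setting -> (expected value, comparison operator).
# "eq" needs a case-insensitive match; "le"/"ge" bound an integer setting.
BASELINE = {
    "PermitRootLogin": ("no", "eq"),
    "PasswordAuthentication": ("no", "eq"),
    "MaxAuthTries": (4, "le"),
    "PASS_MIN_LEN": (14, "ge"),
    "AuditEnabled": ("yes", "eq"),
    "VendorDefaultPasswordChanged": ("yes", "eq"),  # constructed flag
}
OPS = {"eq": operator.eq, "le": operator.le, "ge": operator.ge}


def parse_config(text):
    """Parse 'Key value' or 'KEY=value' lines; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue  # bare keyword without a value: nothing to compare
            key, value = parts
        settings[key.strip()] = value.strip()  # a later key overrides an earlier one
    return settings


def check_host(settings, baseline=BASELINE):
    """Return (setting, expected, actual, reason) tuples for one host's deviations.

    A missing setting is itself a deviation: the host then runs on the product
    default, which the baseline never approved.
    """
    findings = []
    for key, (expected, op) in baseline.items():
        if key not in settings:
            findings.append((key, expected, None, "not set; product default in effect"))
            continue
        raw = settings[key]
        if isinstance(expected, int):
            try:
                actual = int(raw)
            except ValueError:
                findings.append((key, expected, raw, "value is not an integer"))
                continue
        else:
            actual, expected = raw.lower(), expected.lower()
        if not OPS[op](actual, expected):
            findings.append((key, expected, actual, f"expected {op} {expected}"))
    return findings


def assess_sample(hosts, baseline=BASELINE):
    """Assess each host in {hostname: config_text}; returns {hostname: findings}."""
    return {name: check_host(parse_config(text), baseline) for name, text in hosts.items()}


# Constructed extracts from three hosts meant to be identically configured;
# gw-app-02 and gw-app-03 have drifted from the baseline.
SAMPLE_HOSTS = {
    "gw-app-01": """
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
PASS_MIN_LEN=14
AuditEnabled yes
VendorDefaultPasswordChanged yes
""",
    "gw-app-02": """
PermitRootLogin yes      # drift: root login re-enabled
PasswordAuthentication no
MaxAuthTries 6           # drift: above the baseline ceiling
PASS_MIN_LEN=14
AuditEnabled yes
# VendorDefaultPasswordChanged is missing on this host
""",
    "gw-app-03": """
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
PASS_MIN_LEN=8           # drift: below the baseline minimum
AuditEnabled yes
VendorDefaultPasswordChanged yes
""",
}

if __name__ == "__main__":
    for host, findings in assess_sample(SAMPLE_HOSTS).items():
        status = "COMPLIANT" if not findings else f"{len(findings)} deviation(s)"
        print(f"{host}: {status}")
        for setting, expected, actual, reason in findings:
            print(f"    {setting}: expected {expected!r}, found {actual!r} ({reason})")
```

Run stand-alone, the script reports gw-app-01 as compliant, three deviations on gw-app-02 (root login enabled, MaxAuthTries above the ceiling, and the default-credential flag absent) and one on gw-app-03 (password minimum length below the baseline). Treating an absent setting as a finding is the design choice worth keeping: a sample that looks identical because every host omits a setting still tells the assessor nothing about what the product default actually is, which is the same gap the report's remark about maintaining appropriate artifacts points at.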